REMARKS 

In this reply, no claims are amended, added, or cancelled. Therefore, Claims 1-7, 9-11, 13-23, 
and 25-28 are pending in the application. 

SUMMARY OF THE REJECTIONS 

Claims 1-7, 17-23 and 25-28 were rejected under 35 U.S.C. §102(e) as being anticipated, 
allegedly, by Exton, et al., U.S. Patent No. 6,910,041 ("Exton"). 

Claims 9-11 and 13-16 were rejected under 35 U.S.C. §102(e) as being anticipated, allegedly, 
by Bell, et al., U.S. Patent No. 6,880,005 ("Bell"). 

All of these rejections are traversed, respectfully, for at least the reasons discussed below. 

REJECTIONS OF CLAIMS 1-7, 17-23, AND 25-28 

The portions of Exton that are alleged to disclose the features of Claim 1 do not actually do 
so. Instead, these portions discuss how a process authenticates a user (step 602) and receives a 
request (step 604). The request specifies an operation and a resource. The process determines 
whether any entry in an access control list (ACL) matches the user (step 662). If there is a matching 
entry, then further steps (steps 666 and so on) are performed. Alternatively, if there is no matching 
entry, then an error is returned (steps 664 and 610). 

Although the cited portions of Exton discuss matching a user to an entry in an ACL, they 
contain absolutely no discussion of determining whether a sub-entry in a first ACL is equivalent to a 
sub-entry in a second ACL as required by Claim 1 ("determining whether each first sub-entry in the 
first access control list is equivalent to at least one of the second sub-entries"). Exton does not 
compare sub-entries of two separate ACLs like the method of Claim 1 does. The "user" discussed in 
the cited portions of Exton is not an ACL entry or sub-entry, and is not derived from an ACL entry 
or sub-entry. 

The method of Claim 1 is used to determine whether two separate ACLs are functionally 
equivalent to each other ("programmatically determining whether a first access control list is 
functionally equivalent to a second access control list"). The approach discussed in the cited 
portions of Exton cannot be used to make such a determination. Exton's approach never determines 
whether two separate ACLs are functionally equivalent. Instead, the approach discussed in the cited 
portions of Exton merely uses a single ACL to determine whether a particular user has permission to 
perform a specified operation relative to a specified resource. 

In short, the approach disclosed in the cited portions of Exton has nothing to do with 
determining whether two separate ACLs are functionally equivalent. The approach disclosed in the 
cited portions of Exton does not involve the comparison of sub-entries from separate ACLs as the 
method of Claim 1 does. 

For at least the above reasons, Claim 1 is patentable over Exton. 

Claims 17, 25, and 26 are computer-readable medium, system, and policy server versions, 
respectively, of Claim 1. Therefore, Claims 17, 25, and 26 are patentable over Exton for at least the 
reasons set forth above relative to Claim 1. 

Claims 2-7 depend from Claim 1. Claims 18-23 depend from Claim 17. Claims 27 and 28 
depend from Claim 26. By virtue of their dependence from the independent claims from which they 
depend, these dependent claims comprise the distinguished features of the independent claims from 
which they depend. Therefore, Claims 2-7, 18-23, 27, and 28 are patentable over Exton for at least 
the reasons set forth above relative to Claims 1, 17, and 26. 

REJECTIONS OF CLAIMS 9-11 AND 13-16 

Among other features, Claim 9 requires the identification of all overlapping dimensional 
ranges of entries in an ACL ("identifying all overlapping dimensional ranges in the first access 
control list"). Dimensional ranges are discussed in paragraph [0042] of the application, for example. 



50325-0629 (Seq. No. 4830) 




Some examples of dimensional ranges discussed therein are source address ranges and destination 
address ranges. It is well known that a range is a continuum of values that begins at one specified 
value and ends at another specified value. 

However, there is absolutely no discussion of the identification of overlapping ranges of any 
kind in the vast portion of Bell cited in the Office Action. The cited portion generally discusses 
creating ACLs, but never discloses the identification of overlapping ranges specified in the entries of 
such ACLs. 

It appears that the Office Action is merely citing a large chunk of arcane but irrelevant text, 
which happens to refer to ACLs, in the remote hope that at least some part of that chunk might 
somehow be construed by someone to mean something similar to what is recited in Claim 9. 
However, despite the formidable size of the cited portion, there is no mention whatsoever, in any 
form, of the identification of overlapping ranges of any kind therein. 

Although source IP address masks and destination IP address masks are mentioned in the 
cited portion, Bell does not disclose, teach, or suggest the identification of ranges that comprise the 
values that occur where these masks overlap. Although the cited portion refers to the combination of 
entries to form filters, it is not necessary to identify overlapping ranges in order to perform such a 
combination. 

Claim 9 is very specific about what an "overlapping dimensional range" is. Claim 9 
specifically recites that "each overlapping dimensional range" corresponds "to where the 
dimensional ranges of entries in the first access control list overlap." Thus, for example, if a first 
entry specified a range of 1 to 5, and if a second entry specified a range of 3 to 7, then the 
overlapping range would be identified as 3 to 5. The result of identifying an overlapping range is 
itself also a range. 

In identifying an overlapping range, it is necessary to identify an actual range of values so 
that other steps of Claim 9 can be performed (e.g., "determining whether each identified overlapping 
. . . dimensional range identified from the first access control list is contained by or equal to a 
dimensional range of entries in a second access control list.") Due at least to the language "each 
overlapping dimensional range corresponding to where the dimensional ranges of entries . . . 
overlap" in Claim 9, it does not suffice merely to identify whether or not two ranges overlap. The 
phrase "identifying all overlapping ranges" in Claim 9 requires that the actual values that define an 
overlapping range — in other words, the intersection of two ranges that overlap — be identified. 
Unless the actual values that define the overlapping range are determined, there can be no 
determination of whether such an overlapping range is contained by or equal to another range in 
another ACL. 
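
The range arithmetic described above, as an added Python illustration that is not part of the filing and is not the application's claimed method: it takes the 1-to-5 and 3-to-7 example, identifies the overlapping and non-overlapping ranges, and checks each for containment in a second list. The function names, the one-dimensional inclusive integer ranges, and the second lists are assumptions made for the example.

```python
from itertools import combinations

# Constructed sample: the two entry ranges used in the reply's own example.
FIRST_ACL = [(1, 5), (3, 7)]  # inclusive (low, high), one dimension only


def intersect(a, b):
    """Return the range where a and b overlap, or None if they do not."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def overlapping_ranges(acl):
    """All distinct pairwise intersections of the entry ranges in one list."""
    found = {intersect(a, b) for a, b in combinations(acl, 2)}
    found.discard(None)
    return sorted(found)


def non_overlapping_ranges(acl):
    """Parts of each entry's range that no other entry in the list covers."""
    result = []
    for i, (lo, hi) in enumerate(acl):
        cuts = sorted(c for j, other in enumerate(acl) if j != i
                      if (c := intersect((lo, hi), other)))
        cursor = lo
        for c_lo, c_hi in cuts:
            if c_lo > cursor:
                result.append((cursor, c_lo - 1))
            cursor = max(cursor, c_hi + 1)
        if cursor <= hi:
            result.append((cursor, hi))
    return sorted(set(result))


def contained(r, acl):
    """True if r is contained by or equal to a single entry range in acl."""
    return any(lo <= r[0] and r[1] <= hi for lo, hi in acl)


def uncontained(first, second):
    """Ranges identified from `first` that no entry range in `second` contains."""
    pieces = overlapping_ranges(first) + non_overlapping_ranges(first)
    return [r for r in pieces if not contained(r, second)]


if __name__ == "__main__":
    print(overlapping_ranges(FIRST_ACL))            # the intersection, not a yes/no
    print(uncontained(FIRST_ACL, [(1, 4), (6, 7)]))  # constructed second list
```

Knowing only that the two ranges overlap would not allow the containment check; the check needs the endpoints of the intersection itself.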

There is no discussion, in the cited portion of Bell, of identifying an overlapping range 
(comprising the intersection of two ranges — i.e., "where the ranges overlap" — rather than the mere 
union of the two ranges) and then determining whether that overlapping range is contained by or 
equal to another range. Bell does not disclose, teach, or suggest identifying where two ranges 
overlap. Therefore, Bell does not disclose, teach, or suggest "identifying all overlapping 
dimensional ranges in the first access control list" as recited in Claim 9. 

The cited portion of Bell also does not disclose, teach, or suggest "identifying all non- 
overlapping dimensional ranges in the first access control list" as recited in Claim 9. 

For at least the above reasons, Claim 9 is patentable over Bell. 

Claims 10, 11, and 13-16 depend from Claim 9. By virtue of their dependence from Claim 9, 
these dependent claims comprise the features of Claim 9 distinguished from Bell above. Therefore, 
Claims 10, 11, and 13-16 are patentable over Bell for at least the reasons set forth above relative to 
Claim 9. 

CONCLUSION 

For the reasons set forth above, it is respectfully submitted that all of the pending claims are 
now in condition for allowance. Therefore, the issuance of a formal Notice of Allowance is believed 
next in order, and that action is most earnestly solicited. 

The Examiner is respectfully requested to contact the undersigned by telephone if it is 
believed that such contact would further the examination of the present application. 

If any applicable fee is missing or insufficient, throughout the pendency of this application, 
the Commissioner is hereby authorized to charge any applicable fees and to credit any overpayments to our 
Deposit Account No. 50-1302. 



Respectfully submitted, 



HICKMAN PALERMO TRUONG & BECKER LLP 





Christian A. Nicholes 



Reg. No. 50,266 



2055 Gateway Place, Suite 550 
San Jose, California 95110-1089 
Telephone No.: (408)414-1080 
Facsimile No.: (408)414-1076 